nemux, https://www.nemux.org/ (Ghost 2.22 feed, Sat, 25 May 2019 16:22:09 GMT)

Again here to disclose a vulnerability found during a "sunday session" of vulnerability research.

Product description: StarTeam Agile provides support for scrum-based sprint planning, backlog management and tracking. StarTeam Agile’s enterprise-class planning and management capability is ideal for large development organizations which often have highly complex needs. It tightly integrates with the StarTeam or AccuRev SCM platforms for effective Agile change management.

Vulnerability

The StarTeam Agile login URL is vulnerable to a Cross-site Scripting which permits an attacker to inject browser-executable code within a single HTTP response.

In order to trigger the vulnerability, an attacker has to inject the XSS payload into the vulnerable parameter:

loginfailed

Proof

https://starteamagile.tld/agile/login.jsp?loginfailed=[XSSPayload_Here]
GET /agile/login.jsp?loginfailed=%22;alert(document.cookie);//

After the GET request, the loginfailed parameter's value is reflected inside a JavaScript code block as a variable's value.

CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:N)

Timeline (a short recap; maybe I missed something...)

20 May 2016 Bug discovered

23 May 2016 Mitre contacted

24 May 2016 Vendor contacted and I got a reply: [...] We greatly appreciate your assistance and willingness to contact us. This information has been passed on to the development team for their initial review. As soon as we can, you will get an update [...]

25 May 2016 Vendor: [...] the development team has confirmed receipt of your finding and is investigating further [...]
...

22 July 2016 Vendor released a new patched version of the ATLAS Planning and Tracking Suite Ver 3.2.1

Thank you Microfocus for the reference in the release note, appreciated! :)

My last bug-hunting session (for fun and no-profit) was dedicated to libquicktime.

Disclosure part

Let me make a little introduction... I'm sure this is not the only issue in this library. I suppose libquicktime needs a refactoring (IMHO).

If you are a l33t hax0r you don't need to read the rest :)

Reading the code

When I was reading the library code, this "interesting" line in util.c caught my eye:

char len = quicktime_read_char(file);

Ok but... what's wrong?

Signed or unsigned, that is the question:
Negative numbers exist and we need to store them :) There is a mechanism to represent them in binary, and it uses the most significant bit (MSB) of a variable to determine the sign: if the MSB is set to 1, the variable is interpreted as negative; if it is set to 0, the variable is positive.

But take a look at the conversion. The value read is an unsigned int, but is "char len" signed or unsigned?

(I'm going to reveal the murderer...)

The answer is in the "limits.h" header

The standard defines three types: char, signed char and unsigned char.

Look at CHAR_MIN and CHAR_MAX in limits.h:

/* Minimum and maximum values a 'signed char' can hold. */
# define SCHAR_MIN (-128)
# define SCHAR_MAX 127

/* Maximum value an 'unsigned char' can hold. (Minimum is 0.) */
# define UCHAR_MAX 255

/* Minimum and maximum values a 'char' can hold. */
# ifdef __CHAR_UNSIGNED__
# define CHAR_MIN 0
# define CHAR_MAX UCHAR_MAX
# else
# define CHAR_MIN SCHAR_MIN
# define CHAR_MAX SCHAR_MAX
# endif

If __CHAR_UNSIGNED__ is defined at compile time, every char is treated as unsigned... but we are in the default case, where a char is signed, so the minimum and maximum values a plain char can hold are -128 and 127. But quicktime_read_data() stores an unsigned int, which can hold an integer value from 0 to 255.

Integer overflow happens when we try to store in char len a value greater than 127. Since a char is signed by default, the overflow causes a change in signedness: once the value crosses 127, the most significant bit (the sign bit) is set and the value is interpreted as negative. And the trick is done! :)
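Here is an added example (my code, not libquicktime's) of the signedness change described above, with a hardened reading of the length byte beside it; read_byte(), membuf and the byte sequence are constructed stand-ins for quicktime_read_char() and the file handle.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample input: a Pascal string whose length byte is 0xC8
 * (200) but which is followed by only four bytes of data. */
static const unsigned char SAMPLE[] = { 0xC8, 'h', 'd', 'l', 'r' };

/* In-memory stand-in for the file handle. read_byte() plays the role
 * of quicktime_read_char(): it yields 0..255, or -1 at end of data. */
typedef struct { const unsigned char *data; size_t len, pos; } membuf;

static int read_byte(membuf *b) {
    return b->pos < b->len ? (int)b->data[b->pos++] : -1;
}

/* The pattern from util.c: the length byte lands in a plain char.
 * Where char is signed (CHAR_MIN < 0, the usual default) any byte
 * >= 0x80 comes back negative: 0xC8 becomes -56. */
int pascal_len_plain_char(membuf *b) {
    char len = read_byte(b);
    return len;                      /* promoted to int on return */
}

/* A "does it fit?" test on the signed value lets every negative length
 * through, so the bad value survives until it is used as a size. */
int fits_in_buffer(int len, int capacity) {
    return len <= capacity;
}

/* Hardened version: keep the byte unsigned and bound it by the bytes
 * actually left in the input. Returns the length, or -1 on end of data
 * or on a length that would read past the input. */
long pascal_len_checked(membuf *b) {
    int c = read_byte(b);
    if (c < 0) return -1;
    unsigned char len = (unsigned char)c;
    if (len > b->len - b->pos) return -1;
    return len;
}

int main(void) {
    membuf a = { SAMPLE, sizeof SAMPLE, 0 }, c = { SAMPLE, sizeof SAMPLE, 0 };
    int len = pascal_len_plain_char(&a);
    printf("plain char length: %d, passes a 64-byte check: %s\n",
           len, fits_in_buffer(len, 64) ? "yes" : "no");
    printf("checked length: %ld (-1 means rejected)\n", pascal_len_checked(&c));
    return 0;
}
```

On a platform where plain char is unsigned (CHAR_MIN == 0) the first function returns 200 instead, which is exactly why the checked version spells out unsigned char.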

QOTD

When a bug finally makes itself known, it can be exhilarating, like you just unlocked something. A grand opportunity waiting to be taken advantage of. (cit.)

In this case I got the "grand opportunity" to learn that in 2016 I can still see something I saw when I was a child at the end of the '90s :)

Let's go trigger the bug!

That's the funniest part. To trigger the bug there needs to be a way to call quicktime_read_pascal(). I found different ways to do that; here I will use the "hdlr" atom parser (see hdlr.c).

Write-what-where is satisfied. (...the "where" is not completely satisfied here, but that's another story)

Tips for the sunday hax0r:

at stsdtable.c:60

at ftab.c:67, quicktime_read_pascal() is called several times in a for loop

End of the disclosure part

Mom, I'm a hacker now!

https://www.nemux.org/2016/01/21/virtualbox-on-a-headless-ubuntu-and-phpvirtualbox/ (Thu, 21 Jan 2016 15:08:16 GMT)

Have you got an Ubuntu server installation and you don't know what to do with it? You are in the right place... :)

I'm going to write this post as a reminder... by the end of this post you should have VirtualBox on a headless Ubuntu server up and running! (I hope...) and you will be able to manage it via a web browser using phpVirtualBox. (Is it truly secure? Probably my next post will be about it.)

Start Virtualbox

admin/admin will be your user and password... remember to change them if you don't want to be kidded by your friends.

https://www.nemux.org/2015/10/30/upload-sketch-on-arduino-yun-from-command-line/ (Fri, 30 Oct 2015 16:19:36 GMT)

Keeping in mind that these are the steps the Arduino IDE follows when you upload a sketch to the board:

Copy <your_sketch>.hex

Merge your sketch with the bootloader

Program the ATMega32u4

We can repeat those steps by hand in this way:

scp your_sketch.hex root@arduino.

https://www.nemux.org/2015/10/14/without-deviation-from-the-norm-progress-is-not-possible-f-zappa/ (Wed, 14 Oct 2015 18:11:46 GMT)

Some months ago I wrote that on another site...

Increase this...

...and start thinking

I have recently learned that Frank Zappa said:

“Without deviation from the norm, progress is not possible.”

Then ME == F.Zappa? :)

https://www.nemux.org/2015/10/13/libsndfile-1-0-25-heap-overflow/ (Tue, 13 Oct 2015 06:04:18 GMT)

I found this vulnerability during a security research session "for fun and no-profit" and I've released a PoC about it.

Jack AudioConnectionKit http://www.jackaudio.org

Adobe Audition http://www.adobe.com/products/audition.html

Audacity http://www.audacityteam.org/

Asterisk-eSpeak Module https://zaf.github.io/Asterisk-eSpeak/

Run apt-cache rdepends libsndfile1 on Ubuntu to see other interesting dependencies.
Searching around, I found that it's widely used in iOS and Android projects too.

The vulnerability is caused by incorrect handling of the headindex and headend values.
While parsing a specially crafted AIFF header, an attacker can control the index values so that memcpy(...) overwrites heap memory.

To touch this bug with your own hands, take a look at aiff.c inside the while(!done) { ... } loop, and at common.c and file_io.c.
If someone needs more details I will spend more time writing a better post :)

The VSR router likes your DNS traffic! There is no way to use an alternative DNS server (...ehmm... I didn't find one); this mechanism guarantees that it manages a browser-based enrollment process for every new client attached to the LAN for the first time.

No issue until you run commands like these (a dummy and useless list below):

"wget httpserverurldownload"

"apt-get update"

on your Linux server (so, no issue until you generate any kind of HTTP traffic).

The VSR redirects all HTTP requests to the enrollment HTML page, which, through JavaScript code, gets the client's MAC address, records a new client in the VSR domain and gives it a name. That happens just once for every new host! But this situation could give you a small headache.

(1) Psss...
Do you understand that I wrote this "useless" post just to try "image upload" and "lists" on the Ghost platform? If yes I'll buy u a beer
(2) Psss...
I'm joking. I hope it can be useful to someone
(3) Psss...
No, i was not joking

Anyway, if you are wondering how you can use a non-standard SSH port, this is the answer:

rsync --rsh='ssh -p NONSTANDARDPORT' ....

My little story... I've been searching for a way to resume a broken scp transfer session over a non-standard port. Reading the manual (...honestly... I did not!) and googling around, et voilà: